mysheep posted on 2023-2-15 19:08:46

How to deploy Darknights locally [Arknights]

This tutorial will show you how to deploy Darknights locally.

Main steps:
[*]Set up main darknights server.
[*]Open your simulator.
[*]Run MITM and redirect all the simulator's traffic to it.
[*]Run frida server.
[*]Run frida script to hook the function VerifySignMD5RSA.
[*]Done.

Set up main Darknights server
[*]Install MongoDB and run mongod --dbpath /PATH/TO/DATABASE.
[*]Download Darknights-server from GitHub and run main.py. You need bottle >= 0.13, pymongo >= 3.11 and pycryptodome.
[*]Install Nginx for HTTPS. You need a domain and a valid wildcard (pan-domain) certificate for it. The domain should resolve to 127.0.0.1.
Example Nginx config (change the domain and certificate paths):
server
{
    listen 443 ssl;

    ssl_certificate path/to/your/cert;
    ssl_certificate_key path/to/your/privkey;

    server_name as.yourdomain.com ak-gs-gf.yourdomain.com;

    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    location ~ .*
    {
      proxy_pass http://localhost:9444;
    }
}

server
{

    listen 443 ssl;

    ssl_certificate path/to/your/cert;
    ssl_certificate_key path/to/your/privkey;

    server_name ~^([^.]+)\.yourdomain\.com$;
    set $domain $1;

    resolver 8.8.8.8;

    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
    ssl_prefer_server_ciphers on;

    ssl_session_cache shared:SSL:10m;

    location ~ .*
    {
      proxy_set_header Host $domain.hypergryph.com;
      proxy_pass https://$domain.hypergryph.com;
      proxy_ssl_server_name on;
    }
}

You can also set up the server side on a remote host. Just change the DNS config.

Open your simulator
Everything works well on Nox 7.0.3.3 Android 9 64bit. Other simulators are not tested. You may have a try.

Run MITM and redirect all the simulator's traffic to it
[*]Install mitmproxy and run mitmweb -s proxy.py.
Example proxy.py (change the domain):

network_config = """

{"sign":"N+TjgIU1VP85wUeRVcmU6k9w3x3oTlKDXM9oK2TllRtryxTH2S9zMCAgUKIBvhinssBE7Dkll34G0llfUYdlnJTWar+OydnkEN0DA9ecWuoNdQRJ3fIAyYMDRsrTjcrkfUqDJ6GdB9MivqYBm5MKhFxzdI1UtY2kJxC9TZJR5m0=","content":"{\\"configVer\\":\\"5\\",\\"funcVer\\":\\"V030\\",\\"configs\\":{\\"V030\\":{\\"override\\":true,\\"network\\":{\\"gs\\":\\"https://ak-gs-gf.yourdomain.com\\",\\"as\\":\\"https://as.yourdomain.com\\",\\"u8\\":\\"https://as.yourdomain.com/u8\\",\\"hu\\":\\"https://ak.hycdn.cn/assetbundle/official\\",\\"hv\\":\\"https://ak-conf.yourdomain.com/config/prod/official/{0}/version\\",\\"rc\\":\\"https://ak-conf.yourdomain.com/config/prod/official/remote_config\\",\\"an\\":\\"https://ak-conf.yourdomain.com/config/prod/announce_meta/{0}/announcement.meta.json\\",\\"prean\\":\\"https://ak-conf.yourdomain.com/config/prod/announce_meta/{0}/preannouncement.meta.json\\",\\"sl\\":\\"https://ak.yourdomain.com/protocol/service\\",\\"of\\":\\"https://ak.yourdomain.com/index.html\\",\\"pkgAd\\":\\"https://ak.yourdomain.com/download\\",\\"pkgIOS\\":\\"https://apps.apple.com/cn/app/id1454663939\\",\\"secure\\":false}}}}"}

"""

class ArkInterceptor:
    def response(self, flow):
        # Replace the body of any response whose request path mentions network_config
        if "network_config" in flow.request.path:
            flow.response.set_text(network_config)

addons = [
    ArkInterceptor()
]
[*]Install VPN software (or any other software that can redirect all your traffic to mitmproxy) on your simulator, and set the proxy in your simulator.
[*]Open mitm.it in your simulator's browser, then download and install the certificate for Android devices. Note that you need to install it as a system certificate.
One possible way of installing the certificate as a system certificate is to use Magisk and the Movecert module.
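From the defender's side, the rewritten network_config body in proxy.py is straightforward to audit. The following is an added example, not code from the original post or from the Darknights project: it unpacks the envelope and reports every endpoint whose host falls outside an allowlist. The allowlist, the function names and the sample body are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumption: hosts the official client is expected to talk to, taken from the
# domains visible in the post (hypergryph.com, hycdn.cn, apps.apple.com).
ALLOWED_SUFFIXES = ("hypergryph.com", "hycdn.cn", "apple.com")

def host_allowed(host, suffixes=ALLOWED_SUFFIXES):
    """True if host equals a suffix or is a subdomain of it (label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def audit_network_config(body, suffixes=ALLOWED_SUFFIXES):
    """Return sorted (key, host) pairs whose endpoint host is not allowlisted."""
    envelope = json.loads(body)
    content = json.loads(envelope["content"])  # "content" is JSON inside a JSON string
    network = content["configs"][content["funcVer"]]["network"]
    findings = []
    for key, value in network.items():
        if not isinstance(value, str):         # e.g. "secure": false
            continue
        host = urlsplit(value).hostname        # "{0}" placeholders sit in the path
        if host is None or not host_allowed(host, suffixes):
            findings.append((key, host))
    return sorted(findings)

# Constructed sample in the same shape as the network_config body in proxy.py.
SAMPLE = json.dumps({
    "sign": "CONSTRUCTED-PLACEHOLDER",
    "content": json.dumps({
        "configVer": "5", "funcVer": "V030",
        "configs": {"V030": {"override": True, "network": {
            "gs": "https://ak-gs-gf.yourdomain.com",
            "as": "https://as.hypergryph.com",
            "hu": "https://ak.hycdn.cn/assetbundle/official",
            "hv": "https://ak-conf.nothypergryph.com/config/prod/official/{0}/version",
            "secure": False}}}}),
})

if __name__ == "__main__":
    for key, host in audit_network_config(SAMPLE):
        print(f"unexpected endpoint {key!r} -> {host}")
```

The suffix match is anchored on a label boundary, so a look-alike such as nothypergryph.com is reported rather than accepted.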

Run frida server
[*]Download ADB and execute adb.exe connect 127.0.0.1:YOUR_SIMULATOR_ADB_PORT.
[*]Download Frida server and run adb.exe -s 127.0.0.1:YOUR_SIMULATOR_ADB_PORT push frida-server /data/local/tmp. Note that you need to choose the Frida server build that matches your simulator's architecture.
[*]Run adb.exe -s 127.0.0.1:YOUR_SIMULATOR_ADB_PORT shell.
[*]cd /data/local/tmp
[*]chmod 777 frida-server
[*]./frida-server
Run frida script to hook the function VerifySignMD5RSA
[*]Save the code below as hook.js
// Set once libil2cpp.so has been seen, so the hook is installed only once.
var is_matched = false;

// Helper not shown in the original post; assumed to return module base + offset.
function get_func_by_offset(module_name, offset){
    return Module.findBaseAddress(module_name).add(offset);
}

function VerifySignMD5RSA(){
    var func = get_func_by_offset("libil2cpp.so",0x10e79fd)
    console.log('[+] hook VerifySignMD5RSA() '+func.toString())
    Interceptor.attach(func, {
        onEnter: function (args) {
            console.log(args)
        },
        onLeave: function (retval) {
            // Force the return value to 1
            retval.replace(0x1);
        }
    });
}
function attach_matched(so_path){
    if(so_path.indexOf('libil2cpp.so')<0 || is_matched == true){
        return
    }
    is_matched = true
    console.log('[*] '+so_path)
    VerifySignMD5RSA();
}
function hook_dlopen(){
    var func = null;
    func = new NativePointer(Module.findBaseAddress("linker")).add(0x7190);
    console.log('[+] dlopen '+ func.toString())
    Interceptor.attach(func, {
        onEnter: function (args) {
            // First argument is the path of the library being loaded
            this.so_path = Memory.readCString(args[0])
        },
        onLeave: function (retval) {
            attach_matched(this.so_path)
        }
    });
}
hook_dlopen();

Different architectures can have different offsets. For a 32-bit simulator, change '0x7190' in hook_dlopen to '0x2101'.
[*]Run frida -U -l hook.js --no-pause -f com.hypergryph.arknights.




